Resources

Commands

  • Ping Sweep a Subnet
    • Scans a CIDR range, saves output to tnet files, and extracts live hosts.
      nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
  • Ping Sweep from a List
    • Same as above, but reads targets from a file.
      nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
  • Ping Sweep Multiple IPs
    • Scans specified individual IP addresses.
      nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5
  • ICMP Echo Request
    • Uses -PE for a standard ping, --packet-trace to see the packets, and --reason to understand why a host is up or down.
      nmap 10.129.2.18 -sn -oA host -PE --packet-trace --reason
    • Add --disable-arp-ping to rely only on ICMP on a local network.
      nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping
  • Scan All Ports & Save All Formats
    • The -p- flag scans all 65,535 TCP ports. -oA saves the output in Normal, XML, and Grepable formats.
      nmap 10.129.2.28 -p- -oA target
  • Convert XML to HTML Report
    • Creates a user-friendly HTML report from the XML output.
      xsltproc target.xml -o target.html
  • Detailed Version Scan
    • Disables ping (-Pn), DNS resolution (-n), and ARP ping. Focuses on a specific port (-p 445) and shows packet trace and reason.
      nmap 10.129.2.28 -Pn -n --disable-arp-ping --packet-trace -p 445 --reason -sV
  • Noisy Version Scan
    • --version-all sets version-detection intensity to the maximum (every probe is tried). --data-length appends random bytes to each packet.
      nmap -sV --version-all --data-length 20 -p 22,80,443 192.168.1.100
  • Show Scan Statistics
    • --stats-every=5s provides a progress update every 5 seconds.
      nmap 10.129.2.28 -p- -sV --stats-every=5s
  • Fast Scans (Top Ports)
    • -F scans the top 100 ports. Lowering the RTT timeouts makes the scan faster on low-latency, reliable networks, at the cost of missing slow-to-answer hosts.
      nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
  • No Retries
    • --max-retries 0 tells Nmap not to retry sending a packet if no response is received. Good for quick scans where accuracy is less critical.
      nmap 10.129.2.0/24 -F --max-retries 0
  • Guaranteed Scan Rate
    • --min-rate 300 ensures Nmap sends at least 300 packets per second.
      nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300
  • Rapid Initial Mass-Scan (RIM Sweep)
    • --min-hostgroup and --min-rate are raised dramatically so that many hosts are scanned in parallel at high speed. Use it to check large numbers of hosts for a few key ports quickly.
      nmap -Pn -n -p 22,80,443,3389,2222 -iL discovery/ranges.txt -oA discovery/hosts/rmisweep --min-hostgroup 256 --min-rate 1280
  • Large Network Discovery
    • This is designed for huge ranges like a /16: probe the likely gateway address (.1) of every /24, keep the ones that answer, and sweep only those subnets.
      # First, find gateways: ping the .1 address of every /24 and save grepable output to gateways.gnmap
      nmap -sn 10.0-255.0-255.1 -PE --min-hostgroup 10000 --min-rate 10000 -oG gateways
      # Extract the live gateway IPs
      grep 'Up' gateways.gnmap | cut -d' ' -f2 > ranges.txt
      # Then format for scanning: append /24 so each IP stands for its subnet
      sed -i -e 's/$/\/24/' ranges.txt
      # ranges.txt can now be fed to a sweep with -iL (see the RIM Sweep above)
  • Packet Fragmentation
    • -f splits packets into smaller fragments. --mtu 16 sets a specific (and small) Maximum Transmission Unit; the value must be a multiple of 8.
      nmap -f 192.168.0.1
      nmap --mtu 16 192.168.0.1
  • Packet & Data Manipulation
    • Change the outgoing source port, often to a common one like 53 (DNS).
      nmap --source-port 53 192.168.0.1
    • Add random or specific data to packets to make them look more legitimate.
      # Add 25 bytes of random data
      nmap --data-length 25 192.168.0.1
      # Add a specific hex string (HTTP/1.1)
      nmap --data 0x485454502F312E310D0A -p 80 192.168.1.100
      # Add a specific string
      nmap --data-string "GET / HTTP/1.1" -p 80 192.168.1.100
  • Decoys & IP Spoofing
    • Hide your real IP among a series of decoys. RND:5 creates 5 random, alive hosts as decoys.
      nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
    • Set a specific source IP address (-S) and interface (-e).
      nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
  • Vulnerability Scanning
    • --script vuln runs all scripts in the “vuln” category against open ports.
      nmap 10.129.2.28 -p 80 -sV --script vuln
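Added example, not from the original notes: a small Python parser for the grepable .gnmap file that -oA writes. It does what the grep/cut/sed pipelines above do, but tolerates a hostname in the Host: field and deduplicates the resulting /24s. The sample output below is constructed, not real scan data.

```python
import ipaddress
import re

# Constructed sample of Nmap grepable output (-oG, or the .gnmap file from -oA)
# for a -sn gateway sweep. Not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -oG gateways 10.0-1.0-1.1
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.1.1 (gw.example.internal)\tStatus: Up
Host: 10.1.0.1 ()\tStatus: Down
Host: 10.1.1.1 ()\tStatus: Up
# Nmap done at Mon Jan  1 00:00:05 2024 -- 4 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname or empty>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def up_hosts(gnmap_text):
    """Return the IPs of hosts whose Status is Up, in file order."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.append(m.group(1))
    return hosts


def to_subnets(ips, prefix=24):
    """Map each host IP to its enclosing /prefix network, deduplicated, order kept.

    Equivalent to the sed 's/$/\\/24/' step, except that the network address is
    normalised (10.0.0.1/24 becomes 10.0.0.0/24) and repeats are dropped.
    """
    nets = []
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if net not in nets:
            nets.append(net)
    return [str(n) for n in nets]


if __name__ == "__main__":
    live = up_hosts(SAMPLE_GNMAP)
    print("live gateways:", live)
    # One subnet per line, ready to be written to ranges.txt and fed to nmap -iL
    print("\n".join(to_subnets(live)))
```

Write the output of `to_subnets` to a file and pass it to `-iL` exactly as the RIM Sweep command above does with `discovery/ranges.txt`.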

Field Notes & Theory

Default Scan Behavior

By default, nmap <target> scans the top 1000 TCP ports using a SYN scan (-sS) when run with raw-socket privileges (root); an unprivileged user gets a TCP Connect scan (-sT) instead.

Understanding Port States

Nmap only reports a port as closed when it receives a definitive RST (reset) packet in response. If a firewall blocks the port or no response is received, Nmap will report it as filtered.
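Added example, not part of the original notes: parsing the XML that -oA writes (the same file xsltproc turns into HTML) to list each port's state next to the --reason value behind it, so that closed-by-RST and filtered-by-silence are visible side by side. The XML below is a constructed sample, not real scan output, and the reason-to-meaning table only covers the three reasons the note above discusses.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (the .xml file from -oA) for one host; not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap 10.129.2.28 -sV --reason -p 22,80,445 -oA target">
<host>
<status state="up" reason="user-set"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset" reason_ttl="64"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="microsoft-ds"/></port>
</ports>
</host>
</nmaprun>
"""

# What each --reason value means, per the port-state rules in the notes above.
REASON_MEANING = {
    "syn-ack": "host answered SYN with SYN-ACK, so the port is open",
    "reset": "host answered with RST, so the port is definitively closed",
    "no-response": "nothing came back (firewall drop or packet loss), reported as filtered",
}


def parse_nmap_xml(xml_text):
    """Return a list of hosts, each with its state/reason and a list of port records."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            version = ""
            if service is not None:
                version = " ".join(v for v in (service.get("product"), service.get("version")) if v)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else "",
                "version": version,
            })
        hosts.append({"addr": addr.get("addr"), "state": status.get("state"),
                      "reason": status.get("reason"), "ports": ports})
    return hosts


def state_counts(hosts):
    """Count ports per state across all hosts, e.g. {'open': 1, 'closed': 1, 'filtered': 1}."""
    counts = {}
    for h in hosts:
        for p in h["ports"]:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def explain(port):
    """One human-readable line for a port record, including why Nmap chose that state."""
    meaning = REASON_MEANING.get(port["reason"], "reason not covered by this table")
    return f"{port['proto']}/{port['port']} {port['state']} ({port['reason']}): {meaning}"


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"{h['addr']} is {h['state']} ({h['reason']})")
        for p in h["ports"]:
            print("  " + explain(p))
    print(state_counts(parse_nmap_xml(SAMPLE_XML)))
```

The key takeaway is in the reason column: "filtered" is never a positive observation, it is the absence of one, which is why a filtered result on a port you expect to be closed is worth re-checking from another vantage point.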

Timing Templates (-T parameter)

Nmap has preset timing templates for convenience, from slowest/stealthiest to fastest/noisiest.

  • -T0: paranoid (very slow, for IDS evasion)
  • -T1: sneaky
  • -T2: polite (reduces network load)
  • -T3: normal (default)
  • -T4: aggressive (assumes a fast, reliable network)
  • -T5: insane (very aggressive, may sacrifice accuracy)

Blending In with -sT

A good way to avoid some detection for TCP scans is to use the TCP Connect scan (-sT) instead of the default SYN scan (-sS). This uses your operating system’s native socket calls to make full connections, which can make the scan traffic blend in with other legitimate client connections.
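Added example, not from the original notes: a toy detector over constructed flow records that shows why the two scan types look different to a network sensor. A SYN scan leaves half-open connections (SYN, SYN-ACK, then RST from the client); a Connect scan completes the handshake like any client. The first heuristic counts half-open flows per source and misses the Connect scan, which is the blending-in effect described above; the second, fan-out heuristic counts distinct (host, port) pairs a source touches regardless of handshake completion and catches both. The flow records, segment encoding and thresholds are all constructed or assumed.

```python
from collections import defaultdict

# Constructed, simplified flow records, one per TCP connection attempt, as a sensor
# might emit them: "segments" is the ordered list of (direction, flags) seen,
# with "c>s" client-to-server and "s>c" server-to-client. Not real traffic.
def _syn_scan_flow(src, dst, dport):
    # SYN scan: client never completes the handshake, it resets after SYN-ACK
    return {"src": src, "dst": dst, "dport": dport,
            "segments": [("c>s", "S"), ("s>c", "SA"), ("c>s", "R")]}


def _connect_flow(src, dst, dport):
    # Connect scan or ordinary client: full three-way handshake, then teardown
    return {"src": src, "dst": dst, "dport": dport,
            "segments": [("c>s", "S"), ("s>c", "SA"), ("c>s", "A"), ("c>s", "R")]}


SAMPLE_FLOWS = (
    # 12 half-open probes from one source against one host (SYN scan pattern)
    [_syn_scan_flow("10.0.0.5", "10.0.0.20", p) for p in range(20, 32)]
    # an ordinary client completing three HTTPS connections to three hosts
    + [_connect_flow("10.0.0.7", h, 443) for h in ("10.0.0.20", "10.0.0.21", "10.0.0.22")]
    # 12 completed handshakes from one source against 12 ports (Connect scan pattern)
    + [_connect_flow("10.0.0.9", "10.0.0.20", p) for p in range(20, 32)]
)


def classify_flow(flow):
    """'half-open' if the client answered SYN-ACK with anything but ACK,
    'completed' if the handshake finished, 'no-handshake' otherwise."""
    segs = flow["segments"]
    if len(segs) >= 2 and segs[0] == ("c>s", "S") and segs[1] == ("s>c", "SA"):
        third = segs[2] if len(segs) > 2 else None
        return "completed" if third == ("c>s", "A") else "half-open"
    return "no-handshake"


def half_open_scanners(flows, min_pairs=10):
    """Sources with at least min_pairs distinct (dst, port) half-open flows."""
    touched = defaultdict(set)
    for f in flows:
        if classify_flow(f) == "half-open":
            touched[f["src"]].add((f["dst"], f["dport"]))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= min_pairs)


def fan_out_scanners(flows, min_pairs=10):
    """Sources touching at least min_pairs distinct (dst, port) pairs, any handshake outcome."""
    touched = defaultdict(set)
    for f in flows:
        touched[f["src"]].add((f["dst"], f["dport"]))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= min_pairs)


if __name__ == "__main__":
    print("half-open heuristic flags:", half_open_scanners(SAMPLE_FLOWS))
    print("fan-out heuristic flags:  ", fan_out_scanners(SAMPLE_FLOWS))
```

The half-open heuristic is cheap and specific, but a Connect scan never trips it; the fan-out heuristic is what catches it, and because every completed connection also reaches the application, a Connect scan additionally shows up in service logs (for example, a web server's access log) where a SYN scan leaves nothing.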

Table of Port States